[Bug stdio/14771] New: add length sanity check to snprintf

[Bug stdio/14771] New: add length sanity check to snprintf

[fweimer at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14771

             Bug #: 14771
           Summary: add length sanity check to snprintf
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
        AssignedTo: fweimer@redhat.com
        ReportedBy: fweimer@redhat.com
    Classification: Unclassified


We should reject impossibly large size arguments for snprintf, vsprintf.  This
is similar to bug 13592.  Passing (size_t)-1 to snprintf to emulate the sprintf
behavior might actually be valid code, so this would have to be restricted to
-D_FORTIFY_SOURCE mode.

This is prompted by
<https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html>
(CVE-2012-5671).

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[neleai at seznam dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neleai at seznam dot cz

--- Comment #1 from Ondrej Bilka <neleai at seznam dot cz> ---
Did you post a patch since sending this bug?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[bugdal at aerifal dot cx]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #2 from Rich Felker <bugdal at aerifal dot cx> ---
snprintf is required by POSIX to return a negative value and set errno to
EOVERFLOW if the n argument is greater than INT_MAX. Actually I find it
difficult to see how this requirement is compatible with ISO C, which makes no
such requirement or allowance for what would otherwise be a spurious error, so
perhaps this should be filed as a bug against POSIX; an interpretation is
needed, at least. But assuming the requirement in POSIX stands, it's a bug for
glibc not to report an error when n is greater than INT_MAX.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[bugdal at aerifal dot cx]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> ---
I've reported the issue with the possible conflict between the standards on the
Austin Group tracker here:

http://austingroupbugs.net/view.php?id=761

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
The Austin Group has decided not to updated POSIX.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted: https://sourceware.org/ml/libc-alpha/2013-10/msg00630.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[joseph at codesourcery dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14771

--- Comment #6 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
The Austin Group appears to have failed to address the conflict with C11 
semantics.  Is the Austin Group / WG14 liaison taking this up with WG14, 
if the Austin Group view is that the C11 specifications are defective?

A fortification check obviously doesn't address the POSIX semantics, so a 
separate bug would need opening for those if this one is considered to be 
about fortification only.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/14771] add length sanity check to snprintf

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=14771

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gmail dot com

--- Comment #7 from Joseph Myers <jsm28 at gcc dot gnu.org> ---
*** Bug 29379 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are on the CC list for the bug.